Hello,
The problem is if you ever let Linux or Android users near your network, they will only connect in an insecure way, at least with EAP-PEAP/MSCHAP.
Linux can be properly configured. Well, depending on the UI used. Android may get there in a few years, but hid the necessary tools from the user and ignored the bug report asking for it for a decade, then closed it unresolved.
Since Android 4.3 the API allows one to pin all security parameters including server name. We make use of that in eduroam with the eduroam CAT app and config files which bring all the needed security settings. It is limited to one root CA though. Since Android 7.0 the API allows multiple trusted root CAs which helps with cert rollover scenarios. Since Android 7.1 the UI exposes the server name field as well (but calling it "Domain" of all things). Manual configuration in a secure way is now possible but still incredibly clumsy compared to .mobileconfig files on iOS for example. That's why we keep our eduroam CAT Android app around :-) But then, who has 7.1 anyway :-)
I did wonder about making FreeRADIUS keep track of the client MAC addresses it's seen. The first time it sees a new MAC address, it *intentionally* returns a bad certificate, and if authentication completes successfully, it puts the user into a different VLAN so they can be isolated. However if the client aborts the authentication exchange a couple of times, the server marks the MAC address as good and then starts using the correct certificate, and returns the correct VLAN.
It would be an interesting project, but I don't have time to implement it :-)
I did play with that a bit... not the first-time-seen part but just randomly sending out a bad cert. It confused clients horribly. I'd think you'd want to serve the correct certificate first, so Apples pin it, then after a successful auth or two test them for compliance.
Trouble is that you are fooling around with your users in first use. If things go sideways on first try (and you make sure it does) then with an impatient user there is no second try, and you lose the customer. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66